CVE-2023-27638
Published: 2023-03-22
Priority: P1 · 78 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 3.30% (87.0th percentile)
An issue was discovered in the tshirtecommerce (aka Custom Product Designer) component 2.1.4 for PrestaShop. An HTTP request can be forged with a manipulated tshirtecommerce_design_cart_id GET parameter in order to exploit an insecure parameter in the functions hookActionCartSave and updateCustomizationTable, which can lead to SQL injection. This was exploited in the wild in March 2023.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tshirtecommerce | custom_product_designer | — | — |
Detection & IOCs (extracted from sources)
sigma
fofa-query: body="Prestashop" && body="tshirtecommerce"
- Detect time-based blind SQL injection attempts via the tshirtecommerce_design_cart_id GET parameter; look for payloads containing OR SLEEP() or similar time-delay functions in requests to /module/tshirtecommerce/designer.
- The vulnerability is unauthenticated; any request to the designer endpoint with a manipulated tshirtecommerce_design_cart_id should be treated as suspicious regardless of session state.
- Use a time-based detection threshold: responses to /module/tshirtecommerce/designer with a duration >= 8 seconds indicate a successful SLEEP() injection.
- Fingerprint vulnerable PrestaShop instances by checking for the co-presence of the 'prestashop' and 'tshirtecommerce' strings in the HTTP response body before probing the injection endpoint.
- Active exploitation in the wild was observed in March 2023; prioritize detection on PrestaShop instances running tshirtecommerce (Custom Product Designer) version 2.1.4.
- The Nuclei template uses a 30-second timeout for the time-based injection request; detection infrastructure must be configured to allow sufficiently long HTTP timeouts or the SLEEP-based probe will be missed.
- The template is gated on a two-step flow: the first request must confirm both 'prestashop' and 'tshirtecommerce' in the response body before the injection probe fires; single-step scanners will need to replicate this pre-check.
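The checks in the list above (endpoint path, non-numeric or time-delay content in tshirtecommerce_design_cart_id, and the 8-second response threshold) applied to web-server access logs, as an added example that is not part of any source quoted on this page. It assumes a combined log format with a trailing request-time field in seconds; the log lines are constructed, not captured traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log (not real traffic): combined format plus a trailing
# $request_time field in seconds; this layout is an assumption of the example.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Mar/2023:10:00:01 +0000] "GET /module/tshirtecommerce/designer?tshirtecommerce_design_cart_id=42 HTTP/1.1" 200 1843 0.031
203.0.113.9 - - [21/Mar/2023:10:00:05 +0000] "GET /module/tshirtecommerce/designer?tshirtecommerce_design_cart_id=42%27%20OR%20SLEEP(8)--%20- HTTP/1.1" 200 1843 8.214
203.0.113.9 - - [21/Mar/2023:10:00:20 +0000] "GET /module/tshirtecommerce/designer?tshirtecommerce_design_cart_id=42%27%20AND%201=1--%20- HTTP/1.1" 200 1843 0.040
198.51.100.3 - - [21/Mar/2023:10:01:00 +0000] "GET /index.php?id_product=3 HTTP/1.1" 200 9212 0.052
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ ([\d.]+)$')
TARGET_PATH = "/module/tshirtecommerce/designer"
PARAM = "tshirtecommerce_design_cart_id"
TIME_DELAY = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.IGNORECASE)
SLOW_THRESHOLD = 8.0  # seconds, the threshold quoted in the detection notes above

def analyze_line(line):
    """Return the reasons a request to the designer endpoint is suspicious ([] if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    _client, _ts, _method, target, _status, seconds = m.groups()
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    reasons = []
    # parse_qs percent-decodes the value, so the payload is inspected in decoded form.
    for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        # The cart id is numeric; anything else is a forged parameter, session or not.
        if not value.isdigit():
            reasons.append(f"non-numeric {PARAM}={value!r}")
        if TIME_DELAY.search(value):
            reasons.append("time-delay function in parameter")
    if float(seconds) >= SLOW_THRESHOLD:
        reasons.append(f"response took {seconds}s (>= {SLOW_THRESHOLD}s)")
    return reasons

def scan(log_text):
    """Map 1-based line numbers of flagged requests to their reasons."""
    findings = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        reasons = analyze_line(line)
        if reasons:
            findings[n] = reasons
    return findings

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(reasons))
```

The second sample line trips all three checks, the third only the non-numeric check, and the benign first and fourth lines are not flagged.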
CVSS provenance
- nvd: v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 9.8 CRITICAL
GHSA
GHSA-jm4q-f3h3-j5cf · ghsa_unreviewed · 2023-03-22 · CVE-2023-27638 [CRITICAL] · CWE-89
(Description identical to the NVD text above.)
VulnCheck
tshirtecommerce custom_product_designer: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') · vulncheck · 2023 · CVE-2023-27638 [CRITICAL] · CVSS 9.8
(Description identical to the NVD text above.)
Affected: tshirtecommerce custom_product_designer
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://security.friendsofpresta.org/module/202
No detection rules found.
Nuclei
tshirtecommerce PrestaShop Module - SQL Injection · nuclei · CVE-2023-27638 [CRITICAL] · CVSS 9.8
The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the tshirtecommerce_design_cart_id parameter, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database. The cause is a lack of input sanitization, as shown in the patch, where the parameter is now passed through pSQL().
Template:
id: CVE-2023-27638
info:
  name: tshirtecommerce PrestaShop Module - SQL Injection
  author: ritikchaddha
  severity: high
  description: |
    The tshirtecommerce module for PrestaShop is vulnerable to unauthenticated SQL injection via the tshirtecommerce_design_cart_id parameter, allowing attackers to execute arbitrary SQL queries and extract sensitive information from the database. This is due to lack of input sanitization, as shown in the patch where pSQL() is now used.
References:
- https://codecanyon.net/item/prestashop-custom-product-designer/19202018
- https://friends-of-presta.github.io/security-advisories/module/2023/03/21/tshirtecommerce_cwe-89.html
- https://tshirtecommerce.com/
Published: 2023-03-22 · Exploited in the wild